system.roles Collection

The system.roles collection in the admin database stores the user-defined roles. To create and manage these user-defined roles, MongoDB provides role management commands.

system.roles Schema

The documents in the system.roles collection have the following schema:

{
  _id: <system-defined id>,
  role: "<role name>",
  db: "<database>",
  privileges:
    [
      {
        resource: { <resource> },
        actions: [ "<action>", ... ]
      },
      ...
    ],
  roles:
    [
      { role: "<role name>", db: "<database>" },
      ...
    ]
}

A system.roles document has the following fields:

admin.system.roles.role

The role field is a string that specifies the name of the role.

admin.system.roles.db

The db field is a string that specifies the database to which the role belongs. MongoDB uniquely identifies each role by the pairing of its name (i.e. role) and its database.

admin.system.roles.privileges

The privileges array contains the privilege documents that define the privileges for the role.

A privilege document has the following syntax:

{
  resource: { <resource> },
  actions: [ "<action>", ... ]
}

Each privilege document has the following fields:

admin.system.roles.privileges[n].resource

A document that specifies the resources upon which the privilege actions apply. The document has one of the following forms:

{ db: <database>, collection: <collection> }

or

{ cluster : true }

See Resource Document for more details.

admin.system.roles.privileges[n].actions

An array of actions permitted on the resource. For a list of actions, see Privilege Actions.

admin.system.roles.roles

The roles array contains role documents that specify the roles from which this role inherits privileges.

A role document has the following syntax:

{ role: "<role name>", db: "<database>" }

A role document has the following fields:

admin.system.roles.roles[n].role

The name of the role. A role can be a built-in role provided by MongoDB or a user-defined role.

admin.system.roles.roles[n].db

The name of the database where the role is defined.

Examples

Consider the following sample documents found in the system.roles collection of the admin database.

A User-Defined Role Specifies Privileges

The following is a sample document for a user-defined role appUser defined for the myApp database:

{
  _id: "myApp.appUser",
  role: "appUser",
  db: "myApp",
  privileges: [
    { resource: { db: "myApp" , collection: "" },
      actions: [ "find", "createCollection", "dbStats", "collStats" ] },
    { resource: { db: "myApp", collection: "logs" },
      actions: [ "insert" ] },
    { resource: { db: "myApp", collection: "data" },
      actions: [ "insert", "update", "remove", "compact" ] },
    { resource: { db: "myApp", collection: "system.js" },
      actions: [ "find" ] },
  ],
  roles: []
}

The privileges array lists the five privileges that the appUser role specifies:

  • The first privilege permits its actions ("find", "createCollection", "dbStats", "collStats") on all the collections in the myApp database excluding its system collections. See Specify a Database as Resource.
  • The next two privileges permit additional actions on specific collections, logs and data, in the myApp database. See Specify a Collection of a Database as Resource.
  • The last privilege permits actions on one system collection in the myApp database. While the first privilege gives database-wide permission for the find action, that permission does not apply to myApp's system collections. To give access to a system collection, a privilege must explicitly specify the collection. See Resource Document.

As indicated by the empty roles array, appUser inherits no additional privileges from other roles.

User-Defined Role Inherits from Other Roles

The following is a sample document for a user-defined role appAdmin defined for the myApp database. The document shows that the appAdmin role specifies its own privileges and also inherits privileges from other roles:

{
  _id: "myApp.appAdmin",
  role: "appAdmin",
  db: "myApp",
  privileges: [
    {
      resource: { db: "myApp", collection: "" },
      actions: [ "insert", "dbStats", "collStats", "compact" ]
    }
  ],
  roles: [
    { role: "appUser", db: "myApp" }
  ]
}

The privileges array lists the privileges that the appAdmin role specifies. This role has a single privilege that permits its actions ("insert", "dbStats", "collStats", "compact") on all the collections in the myApp database excluding its system collections. See Specify a Database as Resource.

The roles array lists the roles, identified by their role names and databases, from which the role appAdmin inherits privileges.
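The following is an added example, not code from the MongoDB manual: it loads the two sample system.roles documents above and resolves a role's effective privileges by walking its roles array, then answers whether the role may perform an action on a given collection. It applies the schema's resource rules from this page (an empty collection name covers every non-system collection of that database; system.* collections must be named explicitly) and also the db: "" wildcard from the Resource Document page; the function names are my own.

```javascript
// Constructed copies of the page's appUser and appAdmin documents from admin.system.roles.
const SYSTEM_ROLES = [
  { _id: "myApp.appUser", role: "appUser", db: "myApp",
    privileges: [
      { resource: { db: "myApp", collection: "" },
        actions: ["find", "createCollection", "dbStats", "collStats"] },
      { resource: { db: "myApp", collection: "logs" }, actions: ["insert"] },
      { resource: { db: "myApp", collection: "data" },
        actions: ["insert", "update", "remove", "compact"] },
      { resource: { db: "myApp", collection: "system.js" }, actions: ["find"] },
    ],
    roles: [] },
  { _id: "myApp.appAdmin", role: "appAdmin", db: "myApp",
    privileges: [
      { resource: { db: "myApp", collection: "" },
        actions: ["insert", "dbStats", "collStats", "compact"] },
    ],
    roles: [{ role: "appUser", db: "myApp" }] },
];

// Collect a role's own privileges plus everything it inherits, transitively.
// Roles are unique per (db, role), so that pair is the lookup key; `seen`
// stops a cycle in a mis-edited roles array from recursing forever.
function effectivePrivileges(roleName, dbName, roleDocs, seen = new Set()) {
  const key = `${dbName}.${roleName}`;
  if (seen.has(key)) return [];
  seen.add(key);
  const doc = roleDocs.find((d) => d.role === roleName && d.db === dbName);
  if (!doc) return [];   // built-in roles are not stored in system.roles
  const inherited = doc.roles.flatMap((r) =>
    effectivePrivileges(r.role, r.db, roleDocs, seen));
  return doc.privileges.concat(inherited);
}

// Does one privilege's resource cover <db>.<collection>?
// - { cluster: true } never covers a collection.
// - db: "" (Resource Document wildcard, not shown on this page) covers any database.
// - collection: "" covers every non-system collection; system.* must be explicit.
function resourceCovers(resource, dbName, collName) {
  if (resource.cluster) return false;
  if (resource.db !== "" && resource.db !== dbName) return false;
  if (resource.collection === "") return !collName.startsWith("system.");
  return resource.collection === collName;
}

// True when any effective privilege of the role grants `action` on targetDb.targetColl.
function roleAllows(roleName, dbName, roleDocs, targetDb, targetColl, action) {
  return effectivePrivileges(roleName, dbName, roleDocs).some(
    (p) => resourceCovers(p.resource, targetDb, targetColl) && p.actions.includes(action));
}
```

Note that appAdmin ends up with find on myApp.data only through appUser, and that neither role can read myApp.system.users because no privilege names that collection.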